
Privileged Container Deployed

Detects the creation of a "privileged" container, an action which could indicate a threat actor preparing a container breakout attack. A privileged container is one that can access the host with all of the root capabilities of the host machine, which lets it view, interact with and modify processes, network operations, IPC calls, the file system, mount points, SELinux configuration etc. as the root user on the host. Various forms of "privileged" container can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, adding non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields.

Author
Leo Tsaousis
Log Source
Product
kubernetes
Category
application
Service
audit
Detection Logic
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'pods'
        capabilities: '*' # Note: Add the "exists" when it's implemented in SigmaHQ/Aurora
    condition: selection
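The following Python script is an added example, not part of the rule or of SigmaHQ. It applies the selection above to a handful of constructed Kubernetes audit events (sample lines written for this example, not real logs). Beyond the bare "capabilities" field match in the YAML, it also checks the other indicators the description names (securityContext.privileged, added Linux capabilities, hostNetwork/hostPID, with hostIPC treated as the same class of setting), walking containers, initContainers and ephemeralContainers. It assumes the events carry the submitted pod spec under requestObject, which the API server only includes when the audit policy logs pods at the Request or RequestResponse level; at Metadata level the rule has nothing to match on.

```python
"""Run the privileged-pod detection over newline-delimited Kubernetes audit events."""
import json

# Constructed sample audit events for this example (NOT real logs).
# Only the fields the detection reads are populated.
SAMPLE_AUDIT_LOG = """
{"verb":"create","objectRef":{"resource":"pods","namespace":"default","name":"web"},"user":{"username":"dev"},"requestObject":{"spec":{"containers":[{"name":"web","image":"nginx"}]}}}
{"verb":"create","objectRef":{"resource":"pods","namespace":"kube-system","name":"escape"},"user":{"username":"attacker"},"requestObject":{"spec":{"containers":[{"name":"c","image":"alpine","securityContext":{"privileged":true}}]}}}
{"verb":"create","objectRef":{"resource":"pods","namespace":"default","name":"capadd"},"user":{"username":"dev"},"requestObject":{"spec":{"containers":[{"name":"c","image":"alpine","securityContext":{"capabilities":{"add":["SYS_ADMIN"]}}}]}}}
{"verb":"create","objectRef":{"resource":"pods","namespace":"default","name":"hostpid"},"user":{"username":"dev"},"requestObject":{"spec":{"hostPID":true,"containers":[{"name":"c","image":"alpine"}]}}}
{"verb":"update","objectRef":{"resource":"pods","namespace":"default","name":"web"},"user":{"username":"dev"},"requestObject":{"spec":{"hostNetwork":true,"containers":[{"name":"c","image":"alpine"}]}}}
{"verb":"create","objectRef":{"resource":"deployments","namespace":"default","name":"d"},"user":{"username":"dev"},"requestObject":{"spec":{"template":{"spec":{"containers":[{"name":"c","securityContext":{"privileged":true}}]}}}}}
"""


def get_path(obj, path):
    """Walk a dotted Sigma-style field name through nested dicts; None if absent."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def privilege_indicators(event):
    """Return the privilege indicators present in the submitted pod spec.

    Mirrors the rule description: securityContext.privileged, added Linux
    capabilities, and the hostNetwork/hostPID (plus hostIPC) namespace flags.
    Assumes requestObject is present (Request/RequestResponse audit level).
    """
    spec = get_path(event, "requestObject.spec") or {}
    found = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag) is True:
            found.append(f"spec.{flag}")
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            sc = c.get("securityContext") or {}
            if sc.get("privileged") is True:
                found.append(f"{kind}[{c.get('name')}].privileged")
            added = (sc.get("capabilities") or {}).get("add") or []
            if added:
                found.append(f"{kind}[{c.get('name')}].capabilities.add={','.join(added)}")
    return found


def matches_rule(event):
    """Sigma selection: verb 'create' on resource 'pods', and a privilege indicator exists."""
    if get_path(event, "verb") != "create":
        return False
    if get_path(event, "objectRef.resource") != "pods":
        return False
    return bool(privilege_indicators(event))


def run_detection(audit_log_text):
    """Parse NDJSON audit events; return (user, namespace/name, indicators) per alert."""
    alerts = []
    for line in audit_log_text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if matches_rule(ev):
            ref = ev.get("objectRef") or {}
            alerts.append((get_path(ev, "user.username"),
                           f"{ref.get('namespace')}/{ref.get('name')}",
                           privilege_indicators(ev)))
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_AUDIT_LOG):
        print(alert)
```

Three of the six sample events alert: the explicitly privileged pod, the pod adding SYS_ADMIN, and the pod sharing the host PID namespace. The update event is ignored because the rule only keys on verb create, and the Deployment with a privileged template is not matched at all because objectRef.resource is deployments. The pod the ReplicaSet controller then creates from that template would match, with the controller's service account as the user, so user.username and the originating workload are the first things to pivot on during triage.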
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
c5cd1b20-36bb-488d-8c05-486be3d0cb97
Status
test
Level
low
Type
Detection
Created
Tue Mar 26
Path
rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml
Raw Tags
attack.t1611, attack.privilege-escalation